attack surfaces
Recently Published Documents


Total documents: 49 (five years: 25)
H-index: 9 (five years: 2)

2021 ◽ Author(s): Manojkumar Parmar

Today's Artificial Intelligence systems are at the epicenter of security threats across industries. Attackers are trying to turn AI systems against the organization and society, intending to cause harm at various levels. Security, along with the explainability of AI, is a cornerstone for Digital Trust and Trustworthy AI. AI-based systems provide new attack surfaces, and adversaries can utilize attack surfaces to construct attacks to exploit vulnerabilities. Mission-critical systems using AI need to address the crucial problem of AI Security (AISec) and Explainable AI (XAI). In the early version of the discussion paper, we propose the new sub-field of Explainable AI Security (XAISec) at the intersection of AISec, XAI, and Explainable Security (XSec) for Mission-critical systems. We propose that XAISec should aim to explain AI Security's workings (justification of attack and transparency about defense) at an appropriate level considering multiple aspects. XAISec is a niche multidisciplinary greenfield with an ascertained need and validated using informal interview settings. We invite constructive criticism, collaboration, and contribution to jump-start the sub-field. We believe that with XAISec as an integral part of AI, AI can impact millions of lives across the globe, enabling smarter, sustainable, and evolutionary transformations.


2021 ◽ Vol 2021 ◽ pp. 1-11 ◽ Author(s): Vikas Sihag, Gaurav Choudhary, Manu Vardhan, Pradeep Singh, Jung Taek Seo

The post-COVID epidemic world has increased dependence on online businesses for day-to-day life transactions over the Internet, especially using the smartphone or handheld devices. This increased dependence has led to new attack surfaces which need to be evaluated by security researchers. The large market share of Android attracts malware authors to launch more sophisticated malware (12000 per day). The need to detect them is becoming crucial. Therefore, in this paper, we propose PICAndro that can enhance the accuracy and the depth of malware detection and categorization using packet inspection of captured network traffic. The identified network interactions are represented as images, which are fed in the CNN engine. It shows improved performance with the accuracy of 99.12% and 98.91% for malware detection and malware class detection, respectively, with high precision.


2021 ◽ Vol ahead-of-print (ahead-of-print) ◽ Author(s): Masike Malatji, Annlizé L. Marnewick, Suné Von Solms

Purpose: For many innovative organisations, Industry 4.0 paves the way for significant operational efficiencies, quality of goods and services and cost reductions. One of the ways to realise these benefits is to embark on digital transformation initiatives that may be summed up as the intelligent interconnectivity of people, processes, data and cyber-connected things. Sadly, this interconnectivity between the enterprise information technology (IT) and industrial control systems (ICS) environment introduces new attack surfaces for critical infrastructure (CI) operators. As a result of the ICS cybersecurity risk introduced by the interconnectivity between the enterprise IT and ICS networks, the purpose of this study is to identify the cybersecurity capabilities that CI operators must have to attain good cybersecurity resilience.
Design/methodology/approach: A scoping literature review of best practice international CI protection frameworks, standards and guidelines was conducted. Similar cybersecurity practices from these frameworks, standards and guidelines were grouped together under a corresponding National Institute of Standards and Technology (NIST) cybersecurity framework (CF) practice. Practices that could not be categorised under any of the existing NIST CF practices were considered new insights, and therefore, additions.
Findings: A CI cybersecurity capability framework comprising 29 capability domains (cybersecurity focus areas) was developed as an adaptation of the NIST CF with an added dimension. This added dimension emphasises cloud computing and internet of things (IoT) security. Each of the 29 cybersecurity capability domains is executed through various capabilities (cybersecurity processes and procedures). The study found that each cybersecurity capability can further be operationalised by a set of cybersecurity controls derived from various frameworks, standards and guidelines, such as COBIT®, CIS®, ISA/IEC 62443, ISO/IEC 27002 and NIST Special Publication 800-53.
Practical implications: CI sectors are immediately able to adopt the CI cybersecurity capability framework to evaluate their levels of resilience against cyber-attacks, given new attack surfaces introduced by the interconnectivity of cyber-connected things between the enterprise and ICS levels.
Originality/value: The authors present an added dimension to the NIST framework for CI cyber protection. In addition to emphasising cryptography, IoT and cloud computing security aspects, this added dimension highlights the need for an integrated approach to CI cybersecurity resilience instead of a piecemeal approach.


2021 ◽ Vol 2021 ◽ pp. 1-11 ◽ Author(s): Dapeng Man, Fanyi Zeng, Wu Yang, Miao Yu, Jiguang Lv, ...

As an innovative strategy, edge computing has been considered a viable option to address the limitations of cloud computing in supporting the Internet-of-Things applications. However, due to the instability of the network and the increase of the attack surfaces, the security in edge-assisted IoT needs to be better guaranteed. In this paper, we propose an intelligent intrusion detection mechanism, FedACNN, which completes the intrusion detection task by assisting the deep learning model CNN through the federated learning mechanism. In order to alleviate the communication delay limit of federal learning, we innovatively integrate the attention mechanism, and the FedACNN can achieve ideal accuracy with a 50% reduction of communication rounds.


Electronics ◽ 2021 ◽ Vol 10 (19) ◽ pp. 2392 ◽ Author(s): Shuvalaxmi Dass, Akbar Siami Namin

Many security problems in software systems are because of vulnerabilities caused by improper configurations. A poorly configured software system leads to a multitude of vulnerabilities that can be exploited by adversaries. The problem becomes even more serious when the architecture of the underlying system is static and the misconfiguration remains for a longer period of time, enabling adversaries to thoroughly inspect the software system under attack during the reconnaissance stage. Employing diversification techniques such as Moving Target Defense (MTD) can minimize the risk of exposing vulnerabilities. MTD is an evolving defense technique through which the attack surface of the underlying system is continuously changing. However, the effectiveness of such dynamically changing platform depends not only on the goodness of the next configuration setting with respect to minimization of attack surfaces but also the diversity of set of configurations generated. To address the problem of generating a diverse and large set of secure software and system configurations, this paper introduces an approach based on Reinforcement Learning (RL) through which an agent is trained to generate the desirable set of configurations. The paper reports the performance of the RL-based secure and diverse configurations through some case studies.


Energies ◽ 2021 ◽ Vol 14 (16) ◽ pp. 4941 ◽ Author(s): Kirti Gupta, Subham Sahoo, Bijaya Ketan Panigrahi, Frede Blaabjerg, Petar Popovski

The integration of variable distributed generations (DGs) and loads in microgrids (MGs) has made the reliance on communication systems inevitable for information exchange in both control and protection architectures to enhance the overall system reliability, resiliency and sustainability. This communication backbone in turn also exposes MGs to potential malicious cyber attacks. To study these vulnerabilities and impacts of various cyber attacks, testbeds play a crucial role in managing their complexity. This research work presents a detailed study of the development of a real-time co-simulation testbed for inverter-based MGs. It consists of an OP5700 real-time simulator, which is used to emulate both the physical and cyber layer of an AC MG in real time through HYPERSIM software; and SEL-3530 Real-Time Automation Controller (RTAC) hardware configured with ACSELERATOR RTAC SEL-5033 software. A human–machine interface (HMI) is used for local/remote monitoring and control. The creation and management of HMI is carried out in ACSELERATOR Diagram Builder SEL-5035 software. Furthermore, communication protocols such as Modbus, sampled measured values (SMVs), generic object-oriented substation event (GOOSE) and distributed network protocol 3 (DNP3) on an Ethernet-based interface were established, which map the interaction among the corresponding nodes of cyber-physical layers and also synchronize data transmission between the systems. The testbed not only provides a real-time co-simulation environment for the validation of the control and protection algorithms but also extends to the verification of various detection and mitigation algorithms. Moreover, an attack scenario is also presented to demonstrate the ability of the testbed. Finally, challenges and future research directions are recognized and discussed.


Author(s): Yannick Chevalier, Florian Fenzl, Maxim Kolomeets, Roland Rieke, Andrey Chechulin, ...

The connectivity of autonomous vehicles induces new attack surfaces and thus the demand for sophisticated cybersecurity management. Thus, it is important to ensure that in-vehicle network monitoring includes the ability to accurately detect intrusive behavior and analyze cyberattacks from vehicle data and vehicle logs in a privacy-friendly manner. For this purpose, we describe and evaluate a method that utilizes characteristic functions and compare it with an approach based on artificial neural networks. Visual analysis of the respective event streams complements the evaluation. Although the characteristic functions method is an order of magnitude faster, the accuracy of the results obtained is at least comparable to those obtained with the artificial neural network. Thus, this method is an interesting option for implementation in in-vehicle embedded systems. An important aspect for the usage of the analysis methods within a cybersecurity framework is the explainability of the detection results.

